Carnegie  Mellon 

Software  Engineering  Institute 

OCTAVE®-S Implementation Guide, Version 1.0

Volume 1: Introduction to OCTAVE-S

Christopher  Alberts 
Audrey  Dorofee 
James  Stevens 
Carol  Woody 

January  2005 


DISTRIBUTION  STATEMENT  A 

Approved  for  Public  Release 
Distribution  Unlimited 


HANDBOOK 

CMU/SEI-2003-HB-003 


Networked Systems Survivability Program

Unlimited distribution subject to the copyright.


This  report  was  prepared  for  the 


SEI  Joint  Program  Office 
ESC/XPK 
5  Eglin  Street 

Hanscom  AFB,  MA  01731-2100 

The ideas and findings in this report should not be construed as an official DoD position. It is published in the
interest of scientific and technical information exchange.


FOR  THE  COMMANDER 


Christos  Scondras 
Chief  of  Programs,  XPK 


This  work  is  sponsored  by  the  U.S.  Department  of  Defense.  The  Software  Engineering  Institute  is  a 
federally  funded  research  and  development  center  sponsored  by  the  U.S.  Department  of  Defense. 

Copyright  2005  by  Carnegie  Mellon  University. 

®  OCTAVE  is  registered  in  the  U.S.  Patent  &  Trademark  Office  by  Carnegie  Mellon  University. 

SM  Operationally  Critical  Threat,  Asset,  and  Vulnerability  Evaluation  is  a  service  mark  of  Carnegie  Mellon  University. 


NO  WARRANTY 


THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS
FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT
LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES
NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,
TRADEMARK, OR COPYRIGHT INFRINGEMENT.


Use  of  any  trademarks  in  this  report  is  not  intended  in  any  way  to  infringe  on  the  rights  of  the  trademark  holder. 


Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is
granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.


External  use.  Requests  for  permission  to  reproduce  this  document  or  prepare  derivative  works  of  this  document  for  external 
and  commercial  use  should  be  addressed  to  the  SEI  Licensing  Agent. 


This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon
University for the operation of the Software Engineering Institute, a federally funded research and development center.
The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work,
in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the
copyright license under the clause at 252.227-7013.


For  information  about  purchasing  paper  copies  of  SEI  reports,  please  visit  the  publications  portion  of  our  Web  site 

(http://www.sei.cmu.edu/publications/pubweb.html). 


OCTAVE-S V1.0


Table of Contents

About This Document
Acknowledgements
Abstract
1 Purpose and Scope
2 What Is OCTAVE-S?
  2.1 Overview of the OCTAVE Approach
  2.2 Overview of OCTAVE-S
  2.3 OCTAVE-S Process
    2.3.1 Phase 1: Build Asset-Based Threat Profiles
    2.3.2 Phase 2: Identify Infrastructure Vulnerabilities
    2.3.3 Phase 3: Develop Security Strategy and Plans
  2.4 OCTAVE-S Outputs
  2.5 Scope of Application
    2.5.1 Should You Use OCTAVE-S?
    2.5.2 Words of Caution
3 Available Materials
  3.1 Navigation Aid for Downloadable Materials
  3.2 Additional Sources of Help
References


List of Figures

Figure 1: OCTAVE-S Emphasizes Operational Risk and Security Practices


List of Tables

Table 1: Key Differences Between OCTAVE and Other Approaches
Table 2: Processes and Activities of Phase 1
Table 3: Processes and Activities of Phase 2
Table 4: Processes and Activities of Phase 3


CMU/SEI-2003-HB-003 Volume 1


About This Document


This document is Volume 1 of the OCTAVE-S Implementation Guide, a 10-volume handbook
supporting the OCTAVE-S methodology. This volume provides an overview of OCTAVE-S
and is written for people who already have some familiarity with the basic concepts and
principles of the OCTAVE approach.

The  volumes  in  this  handbook  are 

•  Volume  1:  Introduction  to  OCTAVE-S  -  This  volume  provides  a  basic  description  of 
OCTAVE-S  and  advice  on  how  to  use  the  guide. 

•  Volume  2:  Preparation  Guidelines  -  This  volume  contains  background  and  guidance  for 
preparing  to  conduct  an  OCTAVE-S  evaluation. 

• Volume 3: Method Guidelines - This volume includes detailed guidance for each
OCTAVE-S activity.

• Volume 4: Organizational Information Workbook - This volume provides worksheets for
all organizational-level information gathered and analyzed during OCTAVE-S.

•  Volume  5:  Critical  Asset  Workbook  for  Information  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  information. 

•  Volume  6:  Critical  Asset  Workbook  for  Systems  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  systems. 

•  Volume  7:  Critical  Asset  Workbook  for  Applications  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  applications. 

•  Volume  8:  Critical  Asset  Workbook  for  People  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  people. 

•  Volume  9:  Strategy  and  Plan  Workbook  -  This  volume  provides  worksheets  to  record  the 
current  and  desired  protection  strategy  and  the  risk  mitigation  plans. 

•  Volume  10:  Example  Scenario  -  This  volume  includes  a  detailed  scenario  illustrating  a 
completed  set  of  worksheets. 
Abstract


The Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE®) approach
defines a risk-based strategic assessment and planning technique for security.
OCTAVE is a self-directed approach, meaning that people from an organization assume
responsibility for setting the organization's security strategy. OCTAVE-S is a variation of the
approach tailored to the limited means and unique constraints typically found in small
organizations (fewer than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three
to five people) of an organization's personnel who gather and analyze information, producing
a protection strategy and mitigation plans based on the organization's unique operational
security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the
organization's business and security processes, so that it is able to conduct all activities by
itself.
1 Purpose and Scope


This document is the first volume of the OCTAVE-S Implementation Guide. In all, the guide
contains 10 volumes of material supporting the Operationally Critical Threat, Asset, and
Vulnerability EvaluationSM (OCTAVE®)-S methodology, including background materials,
guidance, worksheets, and a detailed example scenario. The purpose of this document is to

• provide readers with a basic understanding of the OCTAVE-S, v0.9, methodology

• assist readers in determining whether OCTAVE-S, v0.9, is appropriate for their
organizations

OCTAVE-S and the OCTAVE Method are two methods developed at the Software Engineering
Institute (SEISM) consistent with the OCTAVE criteria, the essential requirements of an
asset-based, strategic assessment of information security risk. The OCTAVE Method was
developed first and applies to large, hierarchical organizations. Volume 1 of the OCTAVE
Method Implementation Guide [Alberts 01a] provides an introduction to that method.
OCTAVE-S was developed to meet the needs of smaller, less hierarchical organizations. The
document Introduction to the OCTAVE Approach [Alberts 03] provides a more comprehensive
overview of the OCTAVE approach and SEI's OCTAVE-consistent methodologies.

People unfamiliar with the OCTAVE approach should read the Introduction to the OCTAVE
Approach before deciding which method is best suited to their organization. This version of
the OCTAVE-S Implementation Guide is written for people who already have some familiarity
with the basic concepts and principles of OCTAVE. For example, anyone already familiar
with the OCTAVE Method will likely find OCTAVE-S to be relatively easy to understand
and use, since both methods share a common basis.

Note that there are only very minor differences between OCTAVE-S v0.9 and v1.0. These
consist primarily of editorial changes. There was one correction to Volumes 9 and 10, step
25, Collaborative Security Management, Staff Awareness. The last sentence had the phrase
"contingency, disaster recovery, and business continuity plans" changed to "collaborative
security management policies and procedures."


SM  Operationally  Critical  Threat,  Asset,  and  Vulnerability  Evaluation  and  SEI  are  service  marks  of 
Carnegie  Mellon  University. 

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon
University.
2 What Is OCTAVE-S?


This section provides an overview of OCTAVE-S, highlighting the basic process, outputs,
and scope of application. However, before looking specifically at OCTAVE-S, a brief
overview of the OCTAVE approach is provided for additional context.

2.1  Overview  of  the  OCTAVE  Approach 

For an organization looking to understand its information security needs, OCTAVE is a risk-
based strategic assessment and planning technique for security. OCTAVE is self directed,
meaning that people from an organization assume responsibility for setting the organization's
security strategy. The technique leverages people's knowledge of their organization's
security-related practices and processes to capture the current state of security practice within the
organization. Risks to the most critical assets are used to prioritize areas of improvement and
set the security strategy for the organization.

Unlike typical technology-focused assessments, which are targeted at technological risk and
focused on tactical issues, OCTAVE is targeted at organizational risk and focused on strategic,
practice-related issues. It is a flexible evaluation that can be tailored for most organizations.
When applying OCTAVE, a small team of people from the operational (or business)
units and the information technology (IT) department work together to address the security
needs of the organization, balancing the three key aspects illustrated in Figure 1: operational
risk, security practices, and technology.

The OCTAVE approach is driven by two of the aspects: operational risk and security practices.
Technology is examined only in relation to security practices, enabling an organization
to refine the view of its current security practices. By using the OCTAVE approach, an
organization makes information-protection decisions based on risks to the confidentiality,
integrity, and availability of critical information-related assets. All aspects of risk (assets,
threats, vulnerabilities, and organizational impact) are factored into decision making, enabling
an organization to match a practice-based protection strategy to its security risks. Table
1 summarizes key differences between OCTAVE and other evaluations.


2.2  Overview  of  OCTAVE-S 

OCTAVE-S is a variation of the OCTAVE approach that was developed to meet the needs of
small, less hierarchical organizations. It is tailored to the more limited means and unique
constraints typically found in smaller organizations. Although the "look and feel" of OCTAVE-S
differs from that of the OCTAVE Method, the technique produces the same types of results,
including an organization-wide protection strategy.


Table 1: Key Differences Between OCTAVE and Other Approaches

OCTAVE                         Other Evaluations
-----------------------------  -----------------------------
Organization evaluation        System evaluation
Focus on security practices    Focus on technology
Strategic issues               Tactical issues
Self direction                 Expert led

Before attempting to use OCTAVE-S, you need to understand the following two unique
aspects of the method:

1. A small interdisciplinary analysis team of three to five people leads OCTAVE-S.
Collectively, analysis team members must have broad insight into the organization's business
and security processes, sufficient to conduct all of the OCTAVE-S activities. For this
reason, OCTAVE-S does not require formal data gathering workshops to kick off the
evaluation.
2. OCTAVE-S includes a limited exploration of the computing infrastructure during Phase
2. Since small organizations frequently outsource their IT services and functions, they
typically have not developed organizational capabilities for running and interpreting the
results of vulnerability evaluation tools. However, the lack of an organizational capability
for running such tools does not preclude an organization from establishing a protection
strategy. Rather than using vulnerability data to refine its view of its current security
practices, an organization conducting an OCTAVE-S evaluation examines the processes
employed to securely configure and maintain its computing infrastructure. Any deficiencies
in organizational capability are noted and considered during Phase 3, when the
organization develops its protection strategy.

2.3  OCTAVE-S  Process 

OCTAVE-S is a self-directed information security risk evaluation. It requires an analysis
team to examine the security risks to an organization's critical assets in relation to its business
objectives, ultimately yielding an organization-wide protection strategy and asset-based
risk mitigation plans. By implementing the results of OCTAVE-S, an organization stands to
better protect all information-related assets and improve its overall security posture.

OCTAVE-S  is  based  upon  the  three  phases  described  in  the  OCTAVE  criteria  [Alberts  01b], 
although  the  number  and  sequencing  of  activities  differ  from  those  used  in  the  OCTAVE 
Method.  This  section  provides  a  brief  overview  of  the  phases,  processes,  and  activities  of 
OCTAVE-S. 

2.3.1  Phase  1 :  Build  Asset-Based  Threat  Profiles 

Phase 1 is an evaluation of organizational aspects. During this phase, the analysis team
defines impact evaluation criteria that will be used later to evaluate risks. It also identifies
important organizational assets and evaluates the current security practice of the organization.
The team completes all tasks by itself, collecting additional information only when needed. It
then selects three to five critical assets to analyze in depth based on their relative importance to the
organization. Finally, the team defines security requirements and a threat profile for
each critical asset. Table 2 illustrates the processes and activities of Phase 1.


2.3.2  Phase  2:  Identify  Infrastructure  Vulnerabilities 

During this phase, the analysis team conducts a high-level review of the organization's
computing infrastructure, focusing on the extent to which security is considered by maintainers of
the infrastructure. The analysis team first analyzes how people use the computing infrastructure
to access critical assets, yielding key classes of components as well as who is responsible
for configuring and maintaining those components.
Table 2: Processes and Activities of Phase 1

Phase                        Process                                Activity
---------------------------  -------------------------------------  -------------------------------------------------------
Phase 1: Build Asset-Based   Process S1: Identify Organizational    S1.1 Establish Impact Evaluation Criteria
Threat Profiles              Information                            S1.2 Identify Organizational Assets
                                                                    S1.3 Evaluate Organizational Security Practices
                             Process S2: Create Threat Profiles     S2.1 Select Critical Assets
                                                                    S2.2 Identify Security Requirements for Critical Assets
                                                                    S2.3 Identify Threats to Critical Assets

The  team  then  examines  the  extent  to  which  each  responsible  party  includes  security  in  its 
information  technology  practices  and  processes.  The  processes  and  activities  of  Phase  2  are 
shown  in  Table  3. 


Table 3: Processes and Activities of Phase 2

Phase                        Process                                Activity
---------------------------  -------------------------------------  -------------------------------------------------------
Phase 2: Identify            Process S3: Examine Computing          S3.1 Examine Access Paths
Infrastructure               Infrastructure in Relation to          S3.2 Analyze Technology-Related Processes
Vulnerabilities              Critical Assets

2.3.3  Phase  3:  Develop  Security  Strategy  and  Plans 

During Phase 3, the analysis team identifies risks to the organization's critical assets and
decides what to do about them. Based on an analysis of the information gathered, the team
creates a protection strategy for the organization and mitigation plans to address the risks to the
critical assets. The OCTAVE-S worksheets used during Phase 3 are highly structured and
tightly linked to the OCTAVE catalog of practices [Alberts 01c], enabling the team to relate
its recommendations for improvement to an accepted benchmark of security practice. Table 4
depicts the processes and activities of Phase 3.


2.4  OCTAVE-S  Outputs 

Information security risk management requires a balance between reactive and proactive
activities. During an OCTAVE-S evaluation, the analysis team views security from multiple
perspectives, ensuring that recommendations achieve the proper balance based on the
organization's needs.
Table 4: Processes and Activities of Phase 3

Phase                        Process                                Activity
---------------------------  -------------------------------------  -------------------------------------------------------
Phase 3: Develop Security    Process S4: Identify and Analyze       S4.1 Evaluate Impacts of Threats
Strategy and Plans           Risks                                  S4.2 Establish Probability Evaluation Criteria
                                                                    S4.3 Evaluate Probabilities of Threats
                             Process S5: Develop Protection         S5.1 Describe Current Protection Strategy
                             Strategy and Mitigation Plans          S5.2 Select Mitigation Approaches
                                                                    S5.3 Develop Risk Mitigation Plans
                                                                    S5.4 Identify Changes to Protection Strategy
                                                                    S5.5 Identify Next Steps

When forming recommendations for improving the organization's security practices, the
team assumes a proactive point of view, analyzing security issues from both an organization-
wide perspective and an asset-specific perspective. At any time during the evaluation, a team
might also take a more reactive stand by identifying action items intended to address specific
weaknesses. These action items are considered to be more reactive in nature because
they often fill an immediate gap rather than improving the organization's security practices.

The main results of OCTAVE-S are thus three-tiered and include

• organization-wide protection strategy - The protection strategy outlines the organization's
direction with respect to its information security practice.

• risk mitigation plans - These plans are intended to mitigate risks to critical assets by
improving selected security practices.

• action list - These include short-term action items needed to address specific weaknesses.

Other useful outputs of OCTAVE-S include

•  a  listing  of  important  information-related  assets  supporting  the  organization’s  business 
goals  and  objectives 

•  survey  results  showing  the  extent  to  which  the  organization  is  following  good  security 
practice 

•  a  risk  profile  for  each  critical  asset  depicting  a  range  of  risks  to  that  asset 

Each  phase  of  OCTAVE-S  produces  usable  results,  so  even  a  partial  evaluation  will  produce 
information  useful  for  improving  an  organization’s  security  posture. 
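The outputs described above, as a worked example added here (this is illustration code, not part of the OCTAVE-S handbook or its worksheets): a critical asset with its security requirements and threat profile from Phase 1 is rated for impact and probability as in Phase 3, Process S4, and each resulting risk is assigned a mitigation approach as in activity S5.2, giving the per-asset risk profile listed among the outputs. The asset, its threats, the impact areas (reputation, financial, fines), the three-level rating scale, the mapping of outcomes to confidentiality, integrity and availability, and the mitigate/defer/accept decision rule are all constructed assumptions; OCTAVE-S leaves the evaluation criteria themselves to the organization.

```python
"""Added illustration of an OCTAVE-S style risk profile; not handbook code.
The asset, threats, impact areas, rating scale and decision rule are
constructed assumptions chosen for this example."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale assumed here for impact, probability and requirements."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed mapping of a threat outcome to the security property it violates.
OUTCOME_PROPERTY = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss": "availability",
    "interruption": "availability",
}


@dataclass
class CriticalAsset:
    name: str
    category: str                   # information, system, application or people
    requirements: dict[str, Level]  # S2.2: how strongly each property matters


@dataclass
class Threat:
    source: str                 # S2.3: e.g. "human actor via network"
    outcome: str                # disclosure / modification / loss / interruption
    probability: Level          # S4.3: judged against the S4.2 criteria
    impacts: dict[str, Level]   # S4.1: rating per impact area (S1.1 criteria)


@dataclass
class Risk:
    asset: str
    threat: Threat
    impact: Level
    score: int
    approach: str


def overall_impact(impacts: dict[str, Level]) -> Level:
    """S4.1: the worst rating across impact areas is the impact of the threat."""
    return max(impacts.values())


def mitigation_approach(impact: Level, probability: Level) -> str:
    """S5.2: assumed decision rule; an organization sets its own thresholds."""
    if impact == Level.HIGH or (impact == Level.MEDIUM and probability >= Level.MEDIUM):
        return "mitigate"
    if impact == Level.LOW and probability == Level.LOW:
        return "accept"
    return "defer"


def risk_profile(asset: CriticalAsset, threats: list[Threat]) -> list[Risk]:
    """Build the asset's risk profile (Process S4), ranked highest risk first.

    The score weights impact by probability and by how strongly the asset
    requires the property the outcome violates, so a disclosure threat to an
    asset that needs confidentiality outranks one to an asset that does not.
    """
    risks = []
    for t in threats:
        violated = OUTCOME_PROPERTY[t.outcome]
        required = asset.requirements.get(violated, Level.LOW)
        impact = overall_impact(t.impacts)
        score = int(impact) * int(t.probability) * int(required)
        risks.append(Risk(asset.name, t, impact, score,
                          mitigation_approach(impact, t.probability)))
    risks.sort(key=lambda r: (r.score, r.impact, r.threat.probability), reverse=True)
    return risks


def example_profile() -> list[Risk]:
    """Constructed critical asset and threat profile for a small organization."""
    asset = CriticalAsset(
        "customer records database", "information",
        {"confidentiality": Level.HIGH, "integrity": Level.HIGH,
         "availability": Level.MEDIUM})
    threats = [
        Threat("human actor via network (outsider)", "disclosure", Level.MEDIUM,
               {"reputation": Level.HIGH, "financial": Level.MEDIUM, "fines": Level.HIGH}),
        Threat("human actor via physical access (insider)", "modification", Level.LOW,
               {"reputation": Level.MEDIUM, "financial": Level.MEDIUM, "fines": Level.LOW}),
        Threat("system problem (hardware defect)", "interruption", Level.MEDIUM,
               {"reputation": Level.LOW, "financial": Level.MEDIUM, "fines": Level.LOW}),
        Threat("other problem (power outage)", "interruption", Level.LOW,
               {"reputation": Level.LOW, "financial": Level.LOW, "fines": Level.LOW}),
    ]
    return risk_profile(asset, threats)


if __name__ == "__main__":
    for r in example_profile():
        print(f"{r.score:>3}  {r.approach:<8}  {r.threat.outcome:<13} via {r.threat.source}")
```

Ranking by a single numeric score is a convenience for the example; the handbook's worksheets keep impact and probability as separate qualitative ratings, and the analysis team, not a formula, decides which risks to mitigate. The one design point worth carrying over is that the asset's security requirements from Phase 1 feed the Phase 3 evaluation, so a threat against a property the asset does not need is not rated as highly as one against a property it does.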

2.5  Scope  of  Application 

OCTAVE-S was developed and piloted with small organizations, ranging from 20 to 80 people
in size. The pilot organizations shared a couple of common characteristics. First, their
organizational structures were relatively flat, and people from different organizational levels
were accustomed to working with each other. Second, people were often required to multitask,
exposing staff members to the processes and procedures used across the organization.
Thus, those organizations were able to assemble a team of three to five people that

•  included  people  from  multiple  organizational  levels,  including  senior  management 

•  had  broad  knowledge  of  the  organization’s  business  and  security  processes 

The  breadth  of  an  analysis  team’s  knowledge,  rather  than  size  of  an  organization,  becomes  a 
key  differentiator  between  OCTAVE-S  and  the  OCTAVE  Method.  No  matter  the  size  of  an 
organization,  if  it  can  assemble  a  team  of  three  to  five  people  who  have  broad  insight  into  the 
organization’s  business  and  security  processes,  then  the  organization  is  potentially  a  good 
candidate  to  conduct  OCTAVE-S. 

For  example,  a  200-person  company  with  a  flat  organizational  structure,  where  many  people 
have  rotated  throughout  the  company’s  departments  over  the  years,  may  be  a  candidate  to 
conduct  OCTAVE-S.  That  organization  could  plausibly  assemble  an  analysis  team  whose 
members  have  sufficient  knowledge  of  business  processes  employed  across  the  company. 

On the other hand, a company of 80 people dispersed across multiple sites and with an
extremely stovepiped organizational structure (e.g., 9 distinct departments whose personnel do
not have much interaction) might not be a candidate for OCTAVE-S. That organization
probably will not be able to assemble an analysis team whose members have insight into all
departments.

2.5.1  Should  You  Use  OCTAVE-S? 

The  following  set  of  questions  should  be  used  to  help  determine  the  applicability  of 
OCTAVE-S  to  your  organization: 

•  Is  your  organization  small?  Does  it  have  a  flat  or  simple  hierarchical  structure? 

•  Can  you  find  a  group  of  three  to  five  people  for  the  analysis  team  who  have  a  broad  and 
deep  understanding  of  the  company  and  also  possess  most  of  the  following  skills? 

-  problem-solving  ability 

-  analytical  ability 

-  ability  to  work  in  a  team 

-  at  least  one  member  with  leadership  skills 

-  ability  to  spend  a  few  days  working  on  this  method 

•  Do  you  outsource  all  or  most  of  your  information  technology  functions? 

• Do you have a relatively simple information technology infrastructure that is well
understood by at least one individual in your organization?

• Do you have limited familiarity with vulnerability evaluation tools within the context of
information-related assets, or are you unable to obtain this expertise from your current
service provider to interpret results?
• Do you prefer a highly structured method as opposed to an open-ended method that can be
more easily tailored?

If you can answer "yes" to all of these questions, OCTAVE-S should work for you. A majority
of "yes" answers implies that it will probably work for you, but caution is advised. While
OCTAVE-S may still be useful outside of these boundaries, the results cannot be guaranteed.

2.5.2  Words  of  Caution 

Some people might consider using OCTAVE-S within individual projects, lines of business,
or departments, subsequently integrating the results to get the organization-wide perspective.
Theoretically, using OCTAVE-S in this manner could work; however, we have neither
empirical data to support this theory nor any guidance about what the "integration" process
might require.
3 Available Materials

OCTAVE-S can be downloaded from the Web at <http://www.cert.org/octave>. The following
list describes the materials that are provided:

•  Volume  1:  Introduction  to  OCTAVE-S  -  This  volume  provides  a  basic  description  of 
OCTAVE-S  and  advice  on  how  to  use  the  guide. 

•  Volume  2:  Preparation  Guidelines  -  This  volume  contains  background  and  guidance  for 
preparing  to  conduct  an  OCTAVE-S  evaluation. 

•  Volume  3:  Method  Guidelines  -  This  volume  includes  detailed  guidance  for  each 
OCTAVE-S  activity. 

•  Volume  4:  Organizational  Information  Workbook  -  This  volume  provides  worksheets  for 
all  organizational-level  information  gathered  and  analyzed  during  OCTAVE-S. 

•  Volume  5:  Critical  Asset  Workbook  for  Information  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  information. 

•  Volume  6:  Critical  Asset  Workbook  for  Systems  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  systems. 

•  Volume  7:  Critical  Asset  Workbook  for  Applications  -  This  volume  provides  worksheets 
to  document  data  related  to  critical  assets  that  are  categorized  as  applications. 

•  Volume  8:  Critical  Asset  Workbook  for  People  -  This  volume  provides  worksheets  to 
document  data  related  to  critical  assets  that  are  categorized  as  people. 

•  Volume  9:  Strategy  and  Plan  Workbook  -  This  volume  provides  worksheets  to  record  the 
current  and  desired  protection  strategy  and  the  risk  mitigation  plans. 

•  Volume  10:  Example  Scenario  -  This  volume  includes  a  detailed  scenario  illustrating  a 
completed  set  of  worksheets. 

OCTAVE-S is not as completely documented as the OCTAVE Method. The materials provided
for OCTAVE-S constitute the minimal set of materials needed to perform the evaluation.


3.1  Navigation  Aid  for  Downloadable  Materials 

Each volume of the OCTAVE-S Implementation Guide contains an initial section describing
the contents of that volume. The navigational aid contained in this introductory volume
provides an overall map of the contents of the guide. The process chart, which begins on the next
page, is a cross-reference of the processes, activities, and steps of OCTAVE-S with the
volumes in which you will find the associated worksheets. As you conduct an OCTAVE-S
evaluation, you can use the process chart as a quick reference to worksheets or to reorient
yourself should you lose track of where you are in the process.


When you are ready to begin an OCTAVE-S evaluation, you should start by looking at
Volume 2: Preparation Guidelines to help you plan and structure the evaluation. You can use
Volume 3: Method Guidelines to learn about how to conduct each process, activity, and step.
You will find the OCTAVE-S worksheets in Volumes 4-9. Finally, you can use Volume 10:
Example Scenario to better understand the type of results you should get from applying
OCTAVE-S.
3.2 Additional Sources of Help

The OCTAVE approach and the two methods were developed to be self-directed (i.e.,
performed by an organization on itself, using external assistance only as required or desired).
However,  given  that  OCTAVE-S  is  a  beta  version,  some  organizations  may  need  additional 
assistance.  Training  is  recommended  for  those  with  little  or  no  experience  with  the  OCTAVE 
approach.  Another  source  of  additional  information  and  background  is  the  book,  Managing 
Information  Security  Risks  [Alberts  02].  Anyone  who  has  already  had  OCTAVE  Method 
training,  used  the  OCTAVE  Method,  or  read  the  book  is  in  a  better  position  to  understand 
and  use  OCTAVE-S.  For  more  information  about  training  and  the  book,  see 
<http://www.cert.org/octave>. 


For  other  information,  see  also 

• OCTAVE Criteria technical report [Alberts 01b]

•  Introduction  to  the  OCTAVE  Approach  [Web  paper,  see  <http://www.cert.org/octave>] 

• OCTAVE Method Implementation Guide, V2.0 [Alberts 01a]